setproctitle [was: How do I change a process name or even a thread name in python!]

Jeff Epler jepler at inetnebr.com
Wed Feb 14 15:14:30 CET 2001


On Tue, 13 Feb 2001 19:16:53 -0500 (EST), Steven D. Majewski
 <sdm7g at virginia.edu> wrote:
>The actual args to (C) setproctitle is a format string and optional
>args, but it makes more sense to do any string formatting in Python,
>and just pass that string. 

Actually, this is unsafe, and has been the cause of a number of bugs 
recently exposed on Bugtraq.

Imagine that you are writing an ftp server which uses 'setproctitle' to
change its process name to give information including the e-mail address an
anonymous user gave when he logged in.  The user might pass a string like
"%x%x%x%x", which will be treated as printf-style specifiers by setproctitle.

So, rather than
	setproctitle(new_title);
you must
	setproctitle("%s", new_title);
to be safe.

See bugtraq or search for "setproctitle format vulnerability" for more
details on this potential security risk.  One URL:
	http://www.hert.org/papers/format.html

Unfortunately, that means the convenience function in the posix module
can't be used.

Jeff
jepler at inetnebr.com



More information about the Python-list mailing list